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Preface 



The Department of Homeland Security (DHS) Office of Inspector General (OIG) was 
established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment 
to the Inspector General Act of 1978. This is one of a series of audit, inspection, and 
special reports prepared as part of our oversight responsibilities to promote economy, 
efficiency, and effectiveness within the department. 

The attached report presents the results of the Federal Law Enforcement Training 
Center's financial statement audits for fiscal years (FY) 2009 and 2008. We contracted 
with the independent public accounting firm KPMG LLP (KPMG) to perform the audits. 
The contract required that KPMG perform its audits according to generally accepted 
government auditing standards and guidance from the Office of Management and Budget 
and the Government Accountability Office. KPMG concluded that FLETC's 
consolidated financial statements as of and for the years ended September 30, 2009 and 
2008, are presented fairly, in all material respects, in conformity with U.S. generally 
accepted accounting principles. The FY 2009 auditors' report discusses two material 
weakness, and two significant deficiencies in internal control. KPMG is responsible for 
the attached auditors' report, and the conclusions expressed in the report. We do not 
express opinions on FLETC's financial statements or provide conclusions on compliance 
with laws and regulations. 

The recommendations herein have been discussed in draft with those responsible for 
implementation. We trust this report will result in more effective, efficient, and 
economical operations. We express our appreciation to all of those who contributed to 
the preparation of this report. 




Richard L. Skinner 
Inspector General 



KPMG LLP 

2001 M Street, NW 
Washington, DC 20036 



Independent Auditors' Report 

Inspector General 

U.S. Department of Homeland Security: 
Director 

Federal Law Enforcement Training Center: 

We have audited the accompanying consolidated balance sheets of the U.S. Department of 
Homeland Security's (DHS) Federal Law Enforcement Training Center (FLETC) as of 
September 30, 2009 and 2008, and the related consolidated statements of net cost and changes in 
net position, and combined statements of budgetary resources (hereinafter referred to as 
"consolidated financial statements") for the years then ended. The objective of our audits was to 
express an opinion on the fair presentation of these consolidated financial statements. In 
connection with our fiscal year 2009 audit, we also considered FLETC s internal control over 
financial reporting and tested FLETC 's compliance with certain provisions of applicable laws, 
regulations, and contracts that could have a direct and material effect on these consolidated 
financial statements. 

Summary 

As stated in our opinion on the consolidated financial statements, we concluded that FLETC 's 
consolidated financial statements as of and for the years ended September 30, 2009 and 2008, are 
presented fairly, in all material respects, in conformity with U.S. generally accepted accounting 
principles. 

Our consideration of internal control over financial reporting resulted in the following conditions 
being identified as significant deficiencies: 

A. Financial Reporting 

B. Information Technology General and Security Controls 

C. Controls over the Revenue Process 

D. Controls over the Accounts Payable Estimation Methodology 

We consider significant deficiencies A and B, above, to be material weaknesses. 

The results of our tests of compliance with certain provisions of laws, regulations, and contracts 
disclosed no instances of noncompliance or other matters that are required to be reported herein 
under Government Auditing Standards and OMB Bulletin No. 07-04, Audit Requirements for 
Federal Financial Statements, as amended. 



KPMG LLP. a U.S. limited liability partnership, is the U.S. 
member firm of KPMG International, a Swiss cooperative. 



The following sections discuss our opinion on FLETC's consolidated financial statements; our 
consideration of FLETC's internal control over financial reporting; our tests of FLETC's 
compliance with certain provisions of applicable laws, regulations, and contracts; and 
management's and our responsibilities. 

Opinion on the Consolidated Financial Statements 

We have audited the accompanying consolidated balance sheets of the U.S. Department of 
Homeland Security's Federal Law Enforcement Training Center (FLETC) as of September 30, 
2009 and 2008, and the related consolidated statements of net cost and changes in net position, 
and the combined statements of budgetary resources for the years then ended. 

In our opinion, the consolidated financial statements referred to above present fairly, in all 
material respects, the financial position of FLETC as of September 30, 2009 and 2008, and its net 
costs, changes in net position, and budgetary resources for the years then ended, in conformity 
with U.S. generally accepted accounting principles. 

The information in the Management's Discussion and Analysis and Required Supplementary 
Information is not a required part of the consolidated financial statements, but is supplementary 
information required by U.S. generally accepted accounting principles. We have applied certain 
limited procedures, which consisted principally of inquiries of management regarding the 
methods of measurement and presentation of this information. However, we did not audit this 
information and, accordingly, we express no opinion on it. 

Our audits were conducted for the purpose of forming an opinion on the consolidated financial 
statements taken as a whole. The information in the Other Accompanying Information section is 
presented for purposes of additional analysis and is not required as part of the consolidated 
financial statements. This information has not been subjected to auditing procedures and, 
accordingly, we express no opinion on it. 

Internal Control Over Financial Reporting 

Our consideration of the internal control over financial reporting was for the limited purpose 
described in the Responsibilities section of this report and was not designed to identify all 
deficiencies in the internal control over financial reporting that might be deficiencies, significant 
deficiencies, or material weaknesses. 

A deficiency in internal control exists when the design or operation of a control does not allow 
management or employees, in the normal course of performing their assigned functions, to 
prevent, or detect and correct misstatements on a timely basis. A significant deficiency is a 
deficiency, or a combination of deficiencies, in internal control that is less severe than a material 
weakness, yet important enough to merit attention by those charged with governance. A material 
weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a 
reasonable possibility that a material misstatement of FLETC's consolidated financial statements 
will not be prevented, or detected and corrected on a timely basis. 

In our fiscal year 2009 audit, we identified certain deficiencies in internal control over financial 
reporting that we consider to be material weaknesses, described in Exhibit I, and other 
deficiencies that we consider to be significant deficiencies, described in Exhibit II. Exhibit III 
presents the status of prior year material weaknesses and significant deficiencies. 



Compliance and Other Matters 

The results of our tests of compliance described in the Responsibilities section of this report 
disclosed no instances of noncompliance or other matters that are required to be reported herein 
under Government Auditing Standards or OMB Bulletin No. 07-04. 

We noted certain additional matters that we have reported to management of FLETC in a separate 
letter dated December 31, 2009. 

Responsibilities 

Management's Responsibilities. Management is responsible for the consolidated financial 
statements; establishing and maintaining effective internal control; and complying with laws, 
regulations, and contracts applicable to FLETC. 

Auditors' Responsibilities. Our responsibility is to express an opinion on the fiscal year 2009 
and 2008 consolidated financial statements of FLETC based on our audits. We conducted our 
audits in accordance with auditing standards generally accepted in the United States of America; 
the standards applicable to financial audits contained in Government Auditing Standards, issued 
by the Comptroller General of the United States; and OMB Bulletin No. 07-04. Those standards 
and OMB Bulletin No. 07-04 require that we plan and perform the audits to obtain reasonable 
assurance about whether the consolidated financial statements are free of material misstatement. 
An audit includes consideration of internal control over financial reporting as a basis for 
designing audit procedures that are appropriate in the circumstances, but not for the purpose of 
expressing an opinion on the effectiveness of FLETC 's internal control over financial reporting. 
Accordingly, we express no such opinion. 

An audit also includes: 

• Examining, on a test basis, evidence supporting the amounts and disclosures in the 
consolidated financial statements; 

• Assessing the accounting principles used and significant estimates made by management; 
and 

• Evaluating the overall consolidated financial statement presentation. 
We believe that our audits provide a reasonable basis for our opinion. 

In planning and performing our fiscal year 2009 audit, we considered FLETC 's internal control 
over financial reporting by obtaining an understanding of FLETC 's internal control, determining 
whether internal controls had been placed in operation, assessing control risk, and performing 
tests of controls as a basis for designing our auditing procedures for the purpose of expressing our 
opinion on the consolidated financial statements. We did not test all controls relevant to operating 
objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982. The 
objective of our audit was not to express an opinion on the effectiveness of FLETC 's internal 
control over financial reporting. Accordingly, we do not express an opinion on the effectiveness 
of FLETC s internal control over financial reporting. 

As part of obtaining reasonable assurance about whether FLETC 's fiscal year 2009 consolidated 
financial statements are free of material misstatement, we performed tests of FLETC 's 
compliance with certain provisions of applicable laws, regulations, and contracts, noncompliance 



with which could have a direct and material effect on the determination of the consolidated 
financial statement amounts, and certain provisions of other laws and regulations specified in 
OMB Bulletin No. 07-04. We limited our tests of compliance to the provisions described in the 
preceding sentence, and we did not test compliance with all laws, regulations, and contracts 
applicable to FLETC. However, providing an opinion on compliance with laws, regulations, and 
contracts was not an objective of our audit and, accordingly, we do not express such an opinion. 



FLETC 's responses to the findings identified in our audit are attached to this report. We did not 
audit FLETC 's responses and, accordingly, we express no opinion on them. 

This report is intended solely for the information and use of FLETC s management, DHS 
management, the DHS Office of Inspector General, OMB, the U.S. Government Accountability 
Office, and the U.S. Congress and is not intended to be and should not be used by anyone other 
than these specified parties. 

K!p^g lcp 

December 31, 2009 
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I-A Financial Reporting 

Background: The U.S. Department of Homeland Security's (DHS) Federal Law Enforcement 
Training Center's (FLETC) primary line of business is to provide law enforcement training at its 
four US facilities for DHS components and over 80 Federal, state and local agencies. Annual 
appropriations are used to pay for certain types of training, while the cost of other, typically 
advanced and specialized, training is reimbursed by the other agencies. Generally, FLETC enters 
into annual reimbursable agreements with their customers, and bills applicable training charges 
on a monthly basis. 

In addition, to ensure that its facilities and training programs are state-of-the-art and able to meet 
the changing needs of its customers, FLETC is continuously maintaining, modifying, and 
constructing new property, plant and equipment. FLETC also provides construction contract 
management services for certain DHS components and other Federal agencies to facilitate the 
building of specialized training facilities. FLETC pays for the cost of construction with both its 
own appropriations and other Federal agency dedicated appropriations. 

Conditions: We identified the following control deficiencies which in combination are considered 
a material weakness in internal controls over financial reporting: 

Environmental Liabilities 

In performing test work procedures over environmental disposal liabilities, we noted that FLETC 
does not have adequate policies and procedures in place whereby Environmental and Safety 
Division (EVS) identifies, assesses, estimates, and reports environmental liabilities to the Finance 
Division throughout the year. 

Within the Finance Division, FLETC does not have adequate supervisory and monitoring controls 
in place to effectively manage (through policies and procedures) the annual process of estimating 
the environmental liability (in coordination with EVS), and performing the appropriate level of 
review of EVS' work. 

We identified mathematical errors in the environmental disposal liability (EDL) report provided 
by EVS as well as calculation errors on several buildings on the Charleston campus with lead 
based paint which were either not included in the EVS report and/or had the incorrect square 
footage used to estimate the environmental liability related to lead based paint. As a result, 
FLETC subsequently increased their September 30, 2009 environmental liability estimate from 
$20.7 million to $22.4 million. 

Imputed Costs and Financial Reporting Process 

In performing test work over the reasonableness of imputed costs, we noted the following: 

• When calculating inter-entity imputed costs related to instructors, FLETC used the 
incorrect number of instructors for one entity, overstating the number of instructors by 12. 

• When calculating imputed costs related to the Office of Personnel Management, FLETC 
used the incorrect payroll expense amounts, overstating payroll expenses by 
approximately $38 million. 

Additionally, in performing test work procedures over net position, we identified a $5.6 million 
difference between unexpended appropriations and cumulative results of operations (CRO). We 
noted that FLETC erroneously posted transactions related to reimbursable funds to Standard 
General Ledger (SGL) account 3100, Unexpended Appropriations, rather than SGL 6100, 
Operating Expenses, which closes to CRO. 
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In addition, during the preparation of the Annual Financial Report (AFR), several errors were 
noted including the following: 

• The Statement of Budgetary Resources (SBR) to President's Budget footnote was not 
properly prepared as the note did not agree to the FY 2008 SBR. 

• The Summary of Significant Accounting Policies footnote had not been updated to 
reflect current year accounting policies, including the implementation of Statement of 
Federal Financial Accounting Standards (SFFAS) No. 30, Inter-Entity Cost 
Implementation. 

• Beginning balance adjustments within the SBR were not reflected in the updated 
AFR. 

• Footnotes were not updated to reflect all top side entries. 

• Footnotes did not agree to the consolidated financial statements. 

• FY 2008 consolidated financial statement amounts were incorrectly changed from the 
amounts reflected in the issued FY 2008 financial statements. 

Allowance for Doubtful Accounts 

In performing test work procedures over the allowance for doubtful accounts, we noted that the 
allowance was erroneously applied to the receivable balance with the public and not to other 
federal entities. This resulted in a negative public receivable balance. 

Property, Plant, and Equipment (PP&E) 

KPMG selected a judgmental sample of 20 PP&E additions during the 9 months ended June 30, 
2009, totaling $17.8 million or approximately 85% of the total PP&E additions of $21.1 million, 
and noted that FLETC had not timely accounted for asset acquisitions or transferred completed 
assets from construction-in-progress (CIP) to in-use assets in its general ledger. Eleven sample 
items, or 55%, were not timely recorded in the Momentum (also referred to as the Financial 
Accounting and Budgeting System ("FABS")) fixed asset module (transactions were recorded 30 
days or more after the asset acquisition or in-service date). Of the 1 1 untimely additions, 10 items 
were completed CIP projects that were transferred to real property and 1 item was equipment. 

FLETC did not always enter correct asset data in the Momentum fixed asset module as follows: 

• For one sample item, the Momentum fixed asset module did not contain the in-service 
date. 

• For two sample items, the Momentum fixed asset module contained an incorrect catalog 
code which resulted in Momentum computing an incorrect useful life. 

While performing substantive audit procedures over additions to CIP for the nine months ended 
June 30, 2009, 2 of the 14 CIP additions tested, relating to one construction project, were not 
properly capitalized as CIP in the general ledger as follows: 

• FLETC incorrectly capitalized $59 thousand of furniture as construction-in-progress 
rather than capitalizing the items as a bulk purchase in SGL 1750, Equipment. 

• FLETC incorrectly expensed approximately $616 thousand of furniture that should have 
been capitalized as part of the bulk purchase mentioned above and expensed 
approximately $53 thousand of Information Technology (IT) wiring that should have 
been capitalized as part of the construction project in SGL 1720, Construction-in- 
Progress. 
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During a site-visit to the Charleston, SC facility, it was identified that adequate processes to 
account for leasehold improvements did not exist. KPMG notes that the Finance Division was 
unaware of the existence of several lease agreements. 

In addition, FLETC's review conducted to assist DHS with its compliance with the Federal 
Manager Financial Integrity Act of 1982 (FMFIA) and Office of Management and Budget 
(OMB) Circular A- 123, Management's Responsibility for Internal Control, did not identify all the 
material weaknesses that we identified during our audit as described above and in Comment I-B 
Information Technology General and Security Controls. Generally, management's review, for 
purposes of reporting under FMFIA and OMB Circular A- 123, should result in identification of 
similar, if not the same, control deficiencies over financial reporting, as identified by the external 
financial statement auditors. 

Cause/Effect: 
Environmental Liabilities 

The EVS does not have adequate policies or procedures in place surrounding the preparation of a 
detailed analysis supporting the environmental liabilities estimate. In addition, the Finance 
Division has not fully assumed responsibility for the accuracy of environmental liabilities 
presented in the consolidated financial statements, and did not conduct a detailed review of EVS' 
work. In FY 2009, FLETC posted adjustments to increase the environmental liability balance by 
approximately $1.8 million as a result of errors noted during the audit. 

Imputed Costs & Financial Reporting Process 

FLETC does not have adequate policies and procedures in place requiring the performance of a 
thorough review of financial reporting information resulting in the following: 

• An adjustment to reduce imputed costs by approximately $6.4 million. 

• An adjustment to reclassify approximately $5.6 million between unexpended appropriations 
and expenses (i.e. CRO). 

• Corrections to the AFR totaling over $30 million. 

Allowance for Doubtful Accounts 

FLETC did not properly review the year-end analysis of the allowance for doubtful accounts prior 
to approving the journal entry resulting in the full reserve being applied to the non-federal 
receivable. As a result of the error in classifying the allowance from non-federal to federal, 
FLETC posted an adjustment for approximately $744 thousand. 

Property, Plant, and Equipment 

The FLETC Property Management Division and Project Site Managers are not effectively 
coordinating with the Finance Division to actively monitor the CIP accounts and other 
acquisitions to ensure completed projects and other acquisitions are reclassified to the appropriate 
general property, plant, and equipment account to ensure that depreciation commences in a timely 
manner. 

Financial Reporting Branch (FRB) review of data entered into the Momentum fixed asset module 
was not effective in the identification and correction of input errors. 

FLETC's budgetary controls over the monitoring of Purchase Requisition accounting lines (used 
by Momentum to post expenditures to the SGL) are not effective. In addition, FLETC does not 
have adequate policies and procedures over bulk purchases. FLETC does not perform a review of 
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capitalizable (equipment) budget object classes (BOC) that were recorded as expenses to identify 
potentially capitalizable transactions. 

The known errors, related to the untimely capitalization of assets, resulted in depreciation 
expense and accumulated depreciation being overstated by a total of approximately $ 1 5 thousand. 

As a result of the exceptions noted related to the improper expensing and capitalization of PP&E, 
FLETC performed an analysis of expense transactions with budget object class 31XX to identify 
similar transactions. As a result of the analysis, FLETC identified approximately $2.9 million of 
assets which had been improperly expensed, one of which was a bulk purchase of computers. In 
addition, we noted an exception in our expense test work for an item, $620 thousand, which was 
improperly expensed and noted that these assets were properly identified in FLETC's analysis. 

Internal controls designed to ensure the completeness and accuracy of leasehold improvements at 
all facilities were not operating effectively during FY 2009. Prior to an adjustment posted by 
FLETC, the FY 2009 ending balances of Leasehold Improvements and Accumulated 
Depreciation - Leasehold Improvements were understated by approximately $3.0 million and 
$400 thousand, respectively; and the amounts reported for Buildings and Accumulated 
Depreciation - Buildings were overstated by approximately $3.0 million and $400 thousand, 
respectively. 

Criteria: 

Environmental Liabilities 

SFFAS No. 5, Accounting for Liabilities of the Federal Government, provides the definition and 
general principle for recognition of liabilities in paragraph 19: "A liability for federal accounting 
purposes is a probable future outflow or other sacrifice of resources as a result of past transactions 
or events." Technical Release No. 2, Determining Probable and Reasonably Estimable for 
Environmental Liabilities in the Federal Government, states, "liabilities shall be recognized when 
the following conditions are met: 

• a past transaction or event has occurred, 

• a future outflow or other sacrifice of resources is probable, and 

• the future outflow or sacrifice of resources is measurable." 

Technical Release No. 2 also states the following regarding due care: "Due care refers to a 
reasonable effort to identify the presence or likely presence of contamination. Due care is 
considered to be exercised if an agency has effective policies and procedures in place to routinely 
attempt to identify contamination and forward that information to the responsible agency 
official." Procedures that are evidence of the exercise of due care are further described in 
Technical Release No. 2. 

SFFAS No. 6, Accounting for Property, Plant, and Equipment, defines clean-up costs in 
paragraph 85 as: "...the costs of removing, containing, and/or disposing of (1) hazardous waste 
. . . from property, or (2) material and/or property that consists of hazardous waste at permanent or 
temporary closure or shutdown of associated PP&E." Furthermore, paragraph 87 clarifies that 
"[c]leanup may include, but is not limited to, decontamination, decommissioning, site restoration, 
site monitoring, closure, and postclosure costs." 
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Imputed Costs, Financial Reporting & Allowance for Doubtful Accounts 

OMB Circular A- 123, defines management's responsibility for internal control and provides 
guidance to Federal managers on improving the accountability and effectiveness of Federal 
programs and operations by establishing, assessing, correcting, and reporting on internal control. 
Under OMB Circular A- 123, "[w]ithin the organizational structure, management must clearly: 
define areas of authority and responsibility; appropriately delegate the authority and 
responsibility throughout the agency; establish a suitable hierarchy for reporting; support 
appropriate human capital policies for hiring, training, evaluating, counseling, advancing, 
compensating, and disciplining personnel; and uphold the need for personnel to possess and 
maintain the proper knowledge and skills to perform their assigned duties as well as understand 
the importance of maintaining effective internal control within the organization." 

Property, Plant, and Equipment 

OMB Circular A- 123, states that transactions should be promptly recorded, properly classified 
and accounted for in order to prepare timely and reliable financial and other reports. 
Documentation for transactions, management controls, and other significant events must be clear 
and readily available for examination. 

Per FLETC Finance (FIN) Standard Operating Procedures (SOP) No. 5, Capitalization of Assets, 
"The Property Accountant forwards the JV [journal voucher] with substantiating documents to 
the supervisor, who approves the JV in Momentum. Prior to approving the JV, the supervisor 
queries the asset record FA [fixed asset document type] entered by Property Management 
Division (PMD) and verify that all data fields, especially, in-service date, useful life, depreciation 
method, capitalization, and acquisition cost, are accurately entered. The supervisor will contact 
PMD for any missing, incomplete or erroneous data for correction. When verified as complete, 
the supervisor screen prints the asset FA or FC [fixed asset change document type] record 
transaction and includes it in the JV supporting documents." 

Per FLETC Property Management Division SOP No. 9, Real Property Standard Operating 
Procedures, Section VI, "Property Management Division (PMD) is responsible for: 

a. Acting as the repository for real property files, excluding full size prints and plans. 
These files shall include, but are not limited to the following: maps, legal 
descriptions of the properties, copies of the title, metes and bounds surveys, 
historic significance, Americans with Disabilities (ADA) surveys, capitalization 
reports, copies of MOUs, MOAs, and license or lease agreements, copies of 
contracts and copies of invoices/bills, transfer-in documents, space utilization data, 
annual consolidated utilities and communications reports, annual operations and 
maintenance cost, deferred maintenance cost, annual security cost, documented 
environmental liabilities and management, documented fire, life safety and 
security issues and programs, a copy of the facility allocation listing maintained by 
the Strategic & Planning Analysis Division (SPA), and real property disposal 
records. 

b. Maintaining and updating official real property records. The PMD Inventory 
Management Specialist shall input all capitalized real property acquisitions into 
the Asset Management System within five working days of receipt of the final 
copy of the Capitalization Report from FIN. The final Capitalization Report is 
accompanied by copies of paid invoices and contracts from FIN. 
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Facilities Management Division (FMD) is responsible for: 

a. Submitting copies of all Capitalization Reports to FIN within 1 calendar 
days of any of the following: 

• beneficial occupancy of any building, 

• completion of any facility or structure, or 

• final decision of additional cost resulting from litigation. 

9. Finance Division (FIN) is responsible for: 

a. Submitting approved Capitalization Reports to PMD with validated construction/ 
renovation/project costs and copies of paid invoices (less in-house labor costs) and 
contracts within two (2) work days after receipt of Capitalization Report from FMD." 

SFFAS No. 6: Accounting for Property, Plant & Equipment, states that the operating 
performance objective of SFFAS No. 6 seeks to ensure that federal agencies report, 

"...relevant and reliable cost information for decision-making by internal users (e.g., program 
managers, budget examiners and officials); comprehensive, comparable cost information for 
decision-making and program evaluation by Congress and the public; and information to help 
assess the efficiency and effectiveness of asset management (e.g., condition of assets including 
deferred maintenance)." 

(h) General PP&E shall be reported in the basic financial statements: the balance sheet, and the 
statement of net cost. The acquisition cost of general PP&E shall be recognized as an asset. 
Subsequently, except for land which is a non-depreciable asset, that acquisition cost shall be 
charged to expense through depreciation. The depreciation expense shall be accumulated in a 
contra asset account — accumulated depreciation. 

Capitalization Threshold 

(148) The Federal Accounting Standards Advisory Board (the Board) believes that Federal 
entities are sufficiently diverse that one threshold would not be suitable for all entities. 

(149) Instead of setting a specific threshold, the Board has adopted a materiality approach — just 
as is done in private sector accounting. Each entity would establish its own threshold as well as 
guidance on applying the threshold to bulk purchases. The Board believes that permitting 
management discretion in establishing capitalization policies will lead to a more cost-effective 
application of the accounting standards. 

Per FLETC Property Management Function Process Documentation (8/18/2008) 

Capitalized: The Capitalized field is automatically set to 'Yes' for items over the $50,000. 
-All equipment with a unit cost of over $50,000 and estimated useful life of 2 years or more is 
capitalized. FLETC does not use the "original complement" concept, wherein original shipments 
of multiple small assets may be capitalized if their total value exceeds the capitalization 
threshold. 

Per DHS FMP01 9: Capitalization and Depreciation of Personal Property 

Bulk Purchases. The single purchase of like items in a lot, with the cost of each individual item 
being below the established capitalization threshold. 
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(2) Capitalization 

(A) Bulk purchases will be subject to a capitalization threshold of $1,000,000. 

(D) The threshold(s) listed above are not applicable for instances in which adopting it would 
cause a material misstatement of the financial statements of the entity when taken on a 
stand alone basis, or when the adoption of this policy would cause the entity to not be in 
compliance with Generally Accepted Accounting Principles. Should such an instance 
occur, the entity will consult with OFM for assistance in determining the correct 
capitalization threshold. 

Recommendations: 

Environmental Liabilities 

We recommend that FLETC develop and implement policies and procedures to ensure that EVS 
reviews the environmental disposal liability detail on a routine basis, at least quarterly. We also 
recommend that FLETC Finance Division implement the necessary supervisory and monitoring 
controls to effectively manage (through policies and procedures) the annual process of estimating 
the liability (in coordination with EVS) and perform the appropriate level of review of EVS's 
work. 

Imputed Costs, Financial Reporting Process & Allowance for Doubtful Accounts 
We recommend that FLETC implement policies and procedures to ensure that a timely and 
thorough review of all financial reporting documentation, including journal entries and 
preparation of the AFR, is performed prior to completion. 

Property, Plant, and Equipment 
We recommend that FLETC: 

1. Adhere to FIN SOP-5 and Property SOP 9 and any other appropriate policies and procedures 
to ensure that data, including asset in-service dates, are accurately and timely entered in the 
Momentum fixed asset module. 

2. Establish processes to improve communication between the Finance Division, Property 
Management Division, and Project Site Managers to ensure that assets are appropriately 
classified and consistently accounted for. 

3. Follow the newly implemented bulk purchase capitalization threshold of $250 thousand. 

4. Perform a more detailed review of CIP related invoices to verify that the appropriate amounts 
are capitalized or expensed. 

5. Implement a more detailed review of the accounting data before contracts are approved and 
entered into Momentum to ensure that purchases are coded to the correct BOC and therefore 
properly capitalized or expensed. 

6. Implement a periodic review of expense transactions with BOC 31XX to identify any assets 
which were improperly expensed. 



I-B Information Technology General and Security Controls 

Background: During FY 2009, FLETC took corrective action to address many of its prior year IT 
control weaknesses. The upgrade of the Financial Accounting and Budgeting System (FABS) 
[also called Momentum] and the installation of new hardware near the end of FY 2008 improved 
the overall security structure at FLETC. However, during FY 2009, we continued to identify IT 
general control weaknesses that impact FLETC 's financial data. 
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In addition, system access is a critical control element for FLETC, both from a financial 
processing perspective and an operational perspective. The Government Accountability Office 
(GAO) defines access controls as controls that should limit or detect access to computer resources 
(data, program, equipment, and facilities), thereby protecting those resources against 
unauthorized modification, loss, and disclosure. Such controls include classifying resources by 
criticality and sensitivity, identifying authorized users and access authorized, establishing 
physical and logical controls and monitoring access, investigating violations, and taking actions. 

Conditions: 

Access Controls and Configuration Management: 

• Access and configuration management weaknesses on the Glynco Administrative 
Network (GAN) and the servers that support Momentum and Student Information System 
(SIS). These weaknesses included default configuration settings, role and group policies, 
and weak password management. 

• System Engineering Life Cycle (SELC) for Momentum is not finalized. 

• Momentum system software event audit logs are not being captured and reviewed. 

• Password configuration settings for Linux, which support Momentum system software, 
allow 6 failed logon attempts before the account is locked. 

• Momentum and the GAN security violation audit logs lack management review and 
signoff 

• Momentum user profile creation or modification is not logged or tracked. 

• Weak logical access controls over the GAN and SIS were noted. 

Security Management: 

• Physical security weaknesses which identified improper protection of system user names 
and passwords, unsecured information security hardware, documentation containing 
Personally Identifiable Information (PII) or marked "For Official Use Only", (FOUO) 
and unlocked network sessions. 

Cause/Effect: FLETC has been relying on the full implementation of the Security Information 
Management (SIM) system, which will monitor Momentum system software and the GAN audit 
logs. However, this has not occurred to date due to unavailable staffing. In addition, due to the 
lack of management oversight, the Momentum approval and security logs review procedures are 
not being adhered to. The lack of audit logs may cause security related incidents to go unnoticed 
and uninvestigated, thus allowing potential unauthorized system software changes to deploy into 
the production environment. 

FLETC management has not enabled the Momentum audit logging system setting, which would 
capture user profile creation and modification. Without logging of new users and profile changes, 
FLETC would be unaware of any unauthorized additions or changes to profiles within 
Momentum. This could also lead to a violation of both separation of duties and least privilege 
principles. 

Due to lack of management oversight, GAN logical access controls and Momentum system 
software access controls have not been strengthened to meet DHS compliance. In addition, 
FLETC management considers the SIS to have a low impact on operations; therefore, sufficient 
controls have not been implemented. Yet, having weak system access controls increase the risk of 
unauthorized individuals gaining access to and improperly modifying or destroying data. Also, 
having generic/shared user accounts on a production system reduces the audit and accountability 
of users within the system. Without documenting and approving access forms to applications, 
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management is unaware of the system access an individual may possess. This could lead to a 
violation of both separation of duties and least privilege principles. Additionally, unauthorized 
users may obtain access to the systems. Without access review and recertification procedures 
being formally documented, reviewers do not have a standard for effectively conducting the 
recertification of GAN accounts. This could lead to the risk of potentially allowing users to have 
account privileges that are no longer needed, or should not have been initially granted. 

FLETC is not continuously monitoring their vulnerability assessment scans for configuration 
management vulnerabilities. As a result, default system and application configuration installations 
on the FLETC's Glynco Administrative Network (GAN), FABS, and Student Information System 
(SIS) increases the ability to compromise the availability, integrity, and confidentiality of 
financial data on the network. This can expose the information system control environment to 
security breaches, unauthorized access, service interruptions, and denial of service attacks. 

FLETC management has not ensured that personnel are adequately trained and aware of the basic 
IT security policies described by DHS and FLETC to protect their login credentials, lock network 
sessions to DHS systems, secure information system hardware, and securely store/limit access to 
FOUO and PH. The failure to control access to sensitive IT resources and FLETC documentation 
could potentially result in the theft or destruction of FLETC assets, unauthorized access to 
sensitive information, and disruptions in processing of FLETC financial systems. Additionally, 
FLETC personnel who are not adequately trained to protect their login credentials present an 
increased risk of unauthorized access to sensitive information from external and internal threats. 

Criteria: The Federal Information Security Management Act (FISMA) passed as part of the E- 
Government Act of 2002, mandates, among other things, that Federal entities maintain IT security 
programs in accordance with National Institute of Standards and Technology (NIST) guidance, 
and other applicable guidance. 

OMB Circular No. A- 130, Management of Federal Information Resources, describes specific 
essential criteria for maintaining effective general IT controls. 

DHS' Sensitive Systems Policy, 4300 A, documents policies and procedures adopted by DHS 
intended to improve the security and operation of all DHS IT systems. 

Recommendations: We recommend that the FLETC Chief Information Officer (CIO) and Chief 
Financial Officer (CFO), in coordination with the DHS Office of Chief Financial Officer and the 
DHS Office of the Chief Information Officer, make the following improvements to FLETC's 
financial management systems and associated information technology security program: 

Access Controls and Configuration Management: 

1. Redistribute procedures and train employees on continuously monitoring and mitigating 
vulnerabilities. In addition, we recommend that FLETC periodically monitor the 
existence of unnecessary services and protocols running on their servers and network 
devices, in addition to deploying patches. 

2. Continue to perform vulnerability assessments and penetration tests on all offices within 
FLETC, from a centrally managed location with a standardized reporting mechanism that 
allows for trending, on a regularly scheduled basis in accordance with NIST guidance. 

3. Develop a more thorough approach to track and mitigate configuration management 
vulnerabilities identified during monthly scans. FLETC should monitor the vulnerability 
reports for necessary or required configuration changes to their environment. 

4. Develop a process to verify that systems identified with "HIGH/MEDIUM Risk" 
configuration vulnerabilities do not appear on subsequent monthly vulnerability scan 
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reports, unless they are verified and documented as a false-positive. All risks identified 
during the monthly scans should be mitigated immediately, and not be allowed to remain 
dormant. 

5. Enable audit logging over all Momentum system software and ensure that logs are 
maintained and proactively reviewed by management. 

6. Enforce existing FLETC policy and procedures over maintenance and review of 
Momentum security violation logs. 

7. Establish and implement procedures to document and review logs of auditable events on 
the GAN. 

8. Activate logs for monitoring Momentum user profile creation and modifications. 

9. Implement the corrective actions identified during the audit vulnerability assessment as 
identified in the issued NFR. 

10. Perform periodic scans of the FLETC network environment, including the financial 
processing environment, for the identification of vulnerabilities, in accordance with 
National Institute of Standards and Technology (NIST) SP 800-42, and implement 
corrective actions to mitigate the risks associated with any vulnerabilities identified 
during periodic scans. 

11. Establish a process to ensure the GAN and Linux (Momentum system software) is 
configured to meet minimum DHS password configuration requirements. 

12. Remove all GAN and SIS generic/shared accounts and conduct periodic reviews of the 
user access lists to ensure compliance. 

13. Establish and enforce procedures for the completion and maintenance of user access 
forms for the GAN and SIS. 

14. Enforce procedures for the removal of transferred/terminated users within the GAN upon 
their separation from FLETC. 

15. Establish and implement policies and procedures for recertification of GAN user 
privileges. This process should include a method to document user recertification and a 
process to maintain evidence of the reviews. 

16. Establish a process to ensure the SIS is configured to meet minimum DHS password and 
system configuration requirements. 

17. Retain audit trail records in accordance with DHS policies in order to support potential 
incidents within the system, and for review of user privileges. 

Security Management: 

1. Ensure that users are trained and aware of safeguarding login credentials, locking 
network sessions to DHS systems, and locking any sensitive information, media 
containing sensitive information, or data not suitable for public dissemination in secure 
locations when not in use. 

2. Effectively limit access to DHS buildings, rooms, work areas, spaces, and structures 
housing IT systems, equipment, and data to authorized personnel. 

Because of the sensitivity of the information, we issued a separate limited distribution report to 
the Chief Information Officer and Chief Financial Officer of FLETC detailing the conditions 
identified and our recommendations for corrective action. 
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(See Exhibit I for Comments A and B) 
II-C Controls over the Revenue Process 

Background: FLETC bills an agency/customer for a training course upon completion. The 
billing information is sent electronically to the Finance Division from the Budget Division in the 
form of monthly Training Charges (TC) documents obtained from the Student Information 
System (SIS). The TC document lists all training costs allocated to the agency/customer by 
budget object class. A Finance Division accountant obtains the TC documents and processes 
them in Momentum, which reclassifies the expenditures from FLETC to the 
appropriate reimbursable agreement. 

In addition to the electronic TCs, the Budget Division provides the Finance Division with the 
monthly Agency Reimbursable Report' and Agency Reimbursable Report by Student', which 
lists the agencies'/customers' monthly charges by budget object class code and by individual 
student, respectively. The Finance Division accountant separates the Agency Reimbursable 
Reports by agency/customer and uses it to create the bills and billing documents in Momentum. 

Conditions: We selected a statistical sample of 2 1 training revenue transactions and an additional 
judgmental sample of 12 revenue transactions from standard general ledger account (SGL) 5200, 
Revenue from Services Provided, for the nine months ended June 30, 2009. During our test work 
procedures, we noted the following: 

• 1 instance where FLETC underfilled the customer. 

• 2 instances where FLETC overtoiled the customer. 

Due to the errors identified in the initial interim training revenue sample, described above, we 
selected an additional statistical sample of 13 training revenue transactions samples from SGL 
5200 for the same period. During our test work procedures, we noted the following: 

• 3 instances where FLETC overtoiled the customer. 

We selected a statistical sample of 22 training revenue transaction samples from SGL 5200 for 
the period July 1, 2009 through September 30, 2009. During our test work procedures, we noted 
the following: 

• 2 instances where FLETC underbilled the customer. 

• 2 instances where FLETC overtoiled the customer. 

Cause/Effect: Controls over the billing process are not designed properly to prevent an error in 
the completeness or accuracy of billing documents since there are no policies or procedures for 
Finance Division management to perform a detailed review against supporting documentation of 
the billing documents prior to issuance. 

Due to the errors identified above, FLETC underbilled the customer in 3 instances, resulting in a 
known understatement of revenue of $5,038, which resulted in a projected error of $1,736, for a 
total most likely understatement of $6,774. FLETC also overtoiled customers in 7 instances, 
resulting in a known overstatement of revenue of $45,910, which resulted in a projected error of 
$1 1,756, for a total most like overstatement of $57,666. 
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Criteria: OMB Circular A- 123, states that transactions should be promptly recorded, properly 
classified and accounted for in order to prepare timely and reliable financial and other reports. 
Documentation for transactions, management controls, and other significant events must be clear 
and readily available for examination. 

OMB Circular A- 123 also states, "The importance of internal control is addressed in many 
statutes and executive documents. The FMFIA establishes overall requirements with regard to 
internal control. The agency head must establish controls that reasonably ensure that: "(i) 
obligations and costs are in compliance with applicable law; (ii) funds, property, and other assets 
are safeguarded against waste, loss, unauthorized use or misappropriation; and (iii) revenues and 
expenditures applicable to agency operations are properly recorded and accounted for to permit 
the preparation of accounts and reliable financial and statistical reports and to maintain 
accountability over the assets." 

SFFAS No. 7, Accounting for Revenue and Other Financing Sources and Concepts for 
Reconciling Budgetary and Financial Accounting, paragraph 34 states, "Revenue from exchange 
transactions should be recognized when goods or services are provided to the public or another 
Government entity at a price." 

SFFAS No. 7, paragraph 36 states, "When services are provided to the public or another 
Government entity (except for specific services produced to order under a contract), revenue 
should be recognized when the services are performed." 

SFFAS No. 7, paragraph 38 states, "The measurement basis for revenue from exchange 
transactions should be the actual price that is received or receivable under the established pricing 
arrangements." 

Recommendations: We recommend that FLETC: 

1. Implement a review process prior to the Budget Division submitting information to the 
Finance Division to ensure the billing information is complete and accurate. 

2. Finance Division implement a review process prior to the release of customer billing 
documents to ensure bills were properly generated. 

II-D Controls over the Accounts Payable Estimation Methodology 

Background: In order to calculate the year-end accounts payable accrual, the FLETC Finance 
Division (Finance) requested that all responsible individuals (contracting officers/program 
managers) provide an estimated amount for all goods/services that had been/will be provided but 
not yet billed to FLETC by year-end. As the amounts are based on the information available as of 
year-end, the accrued amounts may not be exactly the same amount that is ultimately paid by 
FLETC subsequent to year-end. 

Conditions: KPMG selected a statistical sample of 80 accrual estimates as of September 30, 2009 
and examined the appropriateness of the accrual based on either subsequent payments and/or the 
estimation methodology. The results of testing are as follows: 

• 7 instances where the amount was over accrued by $50,000 or more. 

• 4 instances where the amount was under accrued by $50,000 or more. 
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KPMG selected a statistical sample of 69 subsequent disbursements for the period October 1, 
2009 through November 17, 2009 and noted the following: 

• 2 instances where FLETC under accrued in the total amount of $302 thousand. 

• FLETC erroneously included travel related disbursements for the period October 1, 
2008 through October 20, 2008 rather than October 1, 2009 through October 20, 2009 
in the population, resulting in approximately $146 thousand of FY 2008 transactions 
being inappropriately included in the initial subsequent disbursements sample. 

Cause/Effect: There is a lack of communication between the contracting officers/program 

managers and Finance. When estimating the year-end accrual, the contracting officers/program 

managers and Finance should work together to ensure the estimate is accurate and reasonable 

based on available supporting documentation (i.e. invoices, past payment history, etc.) 

The differences identified during test work over accounts payable accrual resulted in a net 

overstatement of accounts payable of approximately $1.3 million as of September 30, 2009 as 

follows: 

• Overstatement - known difference of $2.9 million and projected difference of $20 thousand 
for a total most likely error of $2.92 million 

• Understatement - known difference of $880 thousand and projected difference of $808 
thousand for a total most likely error of $1.69 million. 

Criteria: 

SOP-39 Standard Operating Procedures - Accounts Payable - Quarterly Liability Estimates 

a. An Accounting Operations Branch Accountant will be designated to oversee the 
procedures below and will be responsible for ensuring that proper liabilities have been recorded 
on the financial records. The Accountant will also be responsible for reviewing the open 
obligations listing and establishing a spreadsheet to ensure all obligations have been reviewed. 

b. At least one month prior to the reporting months of December, March, June and 
September, a formal letter will be signed by the CFO/DCFO and sent to the Associate Directors, 
Assistant Directors, Division and Branch Chiefs, and on-site Partner Organization 
Representatives. The letter will request assistance from COTRs and/or End Users in providing 
FIN with the estimated dollar amounts on Blanket Purchase Agreements (BPAs), Contracts, 
Lease Agreements, utilities, etc., for goods and services received but not invoiced for the quarter 
end. 

c. The quarterly estimated amounts should be provided to FIN so that "Receivers" (RC) 
and "Itemized Receivers" (IC) are processed in a timely manner before the closing at the end of 
the month or yearend. A due date of "No Later Than" the 25th day of the month before closing 
will be required. 

d. Once the letter is released, a notice/request will be sent by the accounting technicians 
to responsible individuals (COTR/End User). Emails and phone calls will be placed by the 
technicians to the COTRs, end users, or vendors (depending on type of order) to follow up on 
information needed or not received. 

e. Once the estimated amounts are received, the Accounting Technicians will process the 
RCs and/or ICs into the Momentum Financial System. If the Accounting Technicians do not 
receive a response, an estimate will be used. The estimate will be based on either historical data 
or an average amount, whichever would provide the best estimate. 

f. The Accounting Technician is required to complete a "RC/IC" Worksheet for each RC 
and IC. The worksheet will include such information as Momentum document number, amount, 
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calculation method, etc. The technician should also attach all supporting documentation to the 
worksheet. 

g. As the RC and IC are processed in Momentum, the Accounting Technician will 
provide the RC/IC Worksheet to an accountant along with supporting documentation. The 
accountant will then review and ensure all estimates have been properly calculated and recorded. 
The accountant will follow-up and/or obtain additional information if needed. 

h. The Accountant will utilize this information to review and document the Open 
Obligations Spreadsheet, as mentioned above. 

i. The Accounting Technician will utilize the Analysis Worksheet to compare the 
estimated accrual (RC/IC) to the actual payment associated with the estimate. The Accounting 
Technician will provide the Accountant with the Analysis Worksheet for further review. The 
Accountant will review all worksheets to determine if the accounts payable accrual is reasonable. 

Recommendations: We recommend that FLETC implement improved policies and procedures to 
enhance the communication between the contracting officers/program managers and Finance to 
ensure that the accrual estimate is accurate and reasonable based on the available supporting 
documentation. 
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Prior Year Condition 


As Reported at 
September 30, 2008 


Status as of September 
30, 2009 


Financial Reporting 


Material weakness: Several weaknesses 
existed related to the financial reporting 
process, including reimbursable 
construction revenue, accounts payable, 
capital assets and construction in progress, 
and adjustments to certain budgetary 
accounts. 


Partially corrected; 
repeated as Material 
Weakness 
(Comment I-A) 


Environmental Liabilities 


Material Weakness: FLETC does not 
have adequate processes, policies, and 
procedures in place whereby the EVS 
identifies, assesses, estimates, and reports 
to the Finance Division regarding the 
existence and estimate of environmental 
liabilities throughout the year. 


Repeated as 
Material Weakness 
(Comment I-A) 


Information Technology 
General and Application 
Controls 


Significant deficiency: Several 
weaknesses existed related to Financial 
Systems Security, such as IT general 
control weaknesses, entity-wide security 
program planning weaknesses, system 
software weaknesses, and service 
continuity weaknesses. 


Partially Repeated 
(Comment I-B) 


Non-compliance with the 
Anti-deficiency Act 


Instance of non-compliance: FLETC was 
not in substantial compliance with the Anti- 
deficiency Act as FLETC reported a 
violation related to classification of a 
building lease and were investigating the 
classification of two other building leases. 


Corrected 
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U. S, Department of Homeland Security 
1131 Chapel Crossing Road 
Glynco, Georgia 31524 




Homeland 
Security 



February 19, 2010 



KPMG LLP 

2001 M Street, NW 

Washington, DC 20036 

Ladies and Gentlemen: 

We are providing this letter in connection with your audit of the Federal Law 
Enforcement Training Center's (FLETC) consolidated financial statements as of 
September 30, 2009 and 2008, and the related Independent Auditors' Report. In response 
to the findings, our concurrence or non-concurrence is as follows: 

Exhibit I - Material Weaknesses 

A. Financial Reporting - we concur with the finding. 

B. Information Technology General and Security Controls - we concur with the 
finding. 

Exhibit II - Significant Deficiencies 

C. Controls over the Revenue Process - we concur with the finding. 

D. Controls over the Accounts Payable Estimation Methodology - we concur with 
the finding. 



Sincerely, 




Julie Martin 
Deputy Chief Financial Officer 
Federal Law Enforcement Training Center 



www.Ilete.gov 
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OIG HOTLINE 

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal 
misconduct relative to department programs or operations: 

• Call our Hotline at 1-800-323-8603; 

• Fax the complaint directly to us at (202) 254-4292; 

• Email us at DHSOIGHOTLINE@dhs.gov; or 

• Write to us at: 

DHS Office of Inspector General/MAIL STOP 2600, 
Attention: Office of Investigations - Hotline, 
245 Murray Drive, SW, Building 410, 
Washington, DC 20528. 



The OIG seeks to protect the identity of each writer and caller. 



